In the aftermath of many well-publicized data breaches in the past few years, more than 40 U.S. states have enacted data breach disclosure laws—“identity theft” statutes—which, among other things, require consumers to be notified when personally identifiable information is, or may have been, compromised in a database. But recent reports citing the ineffectiveness of such legislation (e.g., Carnegie Mellon University researchers found that notification laws reduce identity theft by only around 2 percent), together with a growing sense that notification laws do not prevent the underlying problem, have led some states to examine other approaches. At least two states, Nevada and Massachusetts, have enacted legislation aimed at prevention rather than disclosure, and Washington and Michigan are actively considering new measures.
Nevada’s law requires businesses to encrypt personally identifiable information about their customers that is transmitted electronically. So credit card numbers and other personal information sent by email, SMS text message or other digital means must be encrypted in transit. Under the Nevada law, companies that comply but still suffer a breach have a statutory limit on their liability for damages (i.e., $1,000 per customer per occurrence), while companies that do not comply face unlimited civil liability. If these statutes establish the standard by which businesses are judged in protecting sensitive consumer data, then that standard could easily form the basis of a civil argument that a business failing to comply has been negligent.
Massachusetts has also enacted measures that, effective in January, will require businesses that gather personal information about the state’s residents to encrypt sensitive data on portable devices such as laptops and wireless devices. Because the law is intended to protect residents, it applies to out-of-state companies that have either customers or operations in Massachusetts. Companies, even small ones, have started to take these laws seriously: computers with encrypted hard drives, software that automatically encrypts stored information, and even tracking devices embedded in laptops and similar mobile devices are becoming increasingly popular. Note that a tracking device may help recover a lost laptop but does not encrypt the data on it, so it does not by itself satisfy an encryption requirement.